
Security issue with v8.6.1

Open corinnaSchultz opened this issue 2 years ago • 3 comments

Snyk flagged this as a security vulnerability: [email protected][email protected][email protected] [email protected][email protected][email protected]

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') https://cwe.mitre.org/data/definitions/22.html

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24785

corinnaSchultz, Apr 26 '22 05:04
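The workaround the quoted advisory recommends, sanitizing a user-provided locale name before it is handed to Moment.js, as an added example (this is not code from restify, Moment.js, or anyone in this thread); the allowlist, the default locale and the `Accept-Language` parsing are assumptions for the example:

```javascript
// Added example, not project code: validate a user-supplied locale before it
// reaches moment.locale(). The allowlist and default are assumptions; a real
// service would build the allowlist from the locale bundles it actually ships.
const DEFAULT_LOCALE = 'en';
const ALLOWED_LOCALES = new Set(['en', 'en-gb', 'de', 'fr', 'pt-br', 'zh-cn']);

// Shape of the tags Moment's locale files use: 2-3 letter language, optional
// hyphenated region/script subtags, letters and digits only. Nothing containing
// ".", "/" or "\" can match, so no path-like value ever gets through.
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Returns the canonical locale to pass to moment.locale(), or the default when
// the input is missing, malformed, or not on the allowlist.
function resolveLocale(userInput, allowed = ALLOWED_LOCALES) {
  if (typeof userInput !== 'string') return DEFAULT_LOCALE;
  const tag = userInput.trim().toLowerCase();
  if (!LOCALE_TAG.test(tag)) return DEFAULT_LOCALE;
  return allowed.has(tag) ? tag : DEFAULT_LOCALE;
}

// Picks the highest-weighted allowlisted tag from an Accept-Language header
// such as "fr;q=0.5, de;q=0.9, en-GB", so a request handler never trusts the
// raw header value. Entries with q=0 (explicitly unacceptable) are skipped.
function localeFromAcceptLanguage(header, allowed = ALLOWED_LOCALES) {
  if (typeof header !== 'string') return DEFAULT_LOCALE;
  const candidates = header.split(',').map((part, index) => {
    const [rawTag, ...params] = part.trim().split(';');
    const q = params.map((p) => p.trim()).find((p) => p.startsWith('q='));
    const weight = q ? Number(q.slice(2)) : 1;
    return { tag: rawTag.trim().toLowerCase(), weight, index };
  }).filter((c) => Number.isFinite(c.weight) && c.weight > 0);
  // Highest weight first; header order breaks ties.
  candidates.sort((a, b) => b.weight - a.weight || a.index - b.index);
  for (const c of candidates) {
    if (LOCALE_TAG.test(c.tag) && allowed.has(c.tag)) return c.tag;
  }
  return DEFAULT_LOCALE;
}
```

In a request handler the result is what goes to `moment.locale(...)`, e.g. `moment.locale(resolveLocale(query.locale))`, rather than the raw query or header value.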

Where is the attack vector?

kolbma, May 23 '22 13:05

Sorry, all I know is what Snyk says, and just wanted to let people here know, just in case.

corinnaSchultz, May 23 '22 16:05

Where is the attack vector?

We are indeed turning down our security monitoring across a wide range of projects, owing to Bunyan, which we hope indeed is not actually a clear vector in.

Our security monitoring is giving us two other alerts that we are for now muting:

  • restify-8.6.1 -> bunyan-1.8.15 -> mv-2.1.1 -> mkdirp-0.5.1 -> minimist-0.0.8 cve-2021-44906
  • restify-8.6.1 -> http-signature-1.2.0 -> jsprim-1.4.1 -> json-schema-0.2.3 cve-2021-3918

In general, it feels like it'd be super nice & everyone could sleep better if we could move from a conservative stance ("Where is the attack vector?" which we all have to re-convince ourselves on in isolation) to a "Let's upgrade it if we can" (so no teams have to think about each vulnerability) mentality. At least when there are upgrades available, just doing the work would be great. I'll try to help get the ball rolling some & submit some PRs.

Good news: bunyan is at the root of 3/4 issues here, and is replaced by pino in #1841. #1889 upgraded http-signatures to 1.3.6 which is not vulnerable. We just need a release: #1844. 🎉

pinko-fowle, Sep 23 '22 20:09